Every other day there’s another story about someone losing their life savings because they clicked on a link they thought came from a trusted source, whether their bank or their telco. Or another large corporation responsible for the data of millions of customers falls victim to a cyber attack. By the time the victims realise what has happened, it’s often too late.

This was the case for Upwey-Tecoma Bowls Club, which fell victim to a vicious scam that cost the local community club $120,000 while it was rebuilding its facilities after they were severely damaged by floods in 2022.

Covered by insurance, the repair work was carried out by a contractor, and while the club had paid an initial $50,000 deposit, an outstanding amount was due upon completion of the work.

Upwey-Tecoma Bowls Club secretary Les Lane explained: “Work was finished, and the contractor said they’ll send us an invoice, so we were expecting the invoice. The invoice arrived and we paid that invoice, but then the contractor phoned me a couple of weeks later and said, ‘Les, you said you were going to pay me immediately, where’s the money?’”

“I said, ‘We’ve already paid you’, and he said, ‘No you haven’t’. I sent through the documentation, and he told me they don’t bank with the National Bank, they bank with ANZ. I realised then what had happened.”

The club engaged an IT forensic specialist, who found that it had been the target of a business email compromise scam: the attackers had been monitoring the club’s email correspondence, deleted the contractor’s original invoice from the club’s inbox, and replaced it with an identical copy in which only the bank details had been changed.

“The invoice was the invoice from the contractor, but all they had done was change the BSB and account number, so when our treasurer got it, he looked at it and said that looks like the same one and he paid them,” Lane said.

Unfortunately, the club has been unable to recover the money, and fundraising efforts by the local community have not made up the full amount.

“It’s still a blow,” Lane said, noting that this incident has been a “huge lesson”.

Lane said the club no longer makes bank transfers over $2,000 without the treasurer phoning the company to confirm the account details are correct. He strongly urges other clubs to do the same. The call needs to go to a number the club already holds for the supplier, not one printed on the invoice, since in a case like this the invoice itself is the attacker’s document.

“Once you get that confirmation, you can then go ahead and make payment knowing that it’s going to go to the right person.”
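The callback rule Lane describes can be written down as a payment gate rather than left to memory. The following is an added example, not code from the original article or from the club: a verified payee register with a phone number recorded at onboarding, and a decision function that holds any invoice whose BSB or account number differs from the register (as the doctored invoice did), and holds any matching invoice over the threshold until the treasurer has confirmed by phone. The payee names, BSBs, account numbers, phone number and amounts are all constructed for illustration and are not the club’s or the contractor’s real details.

```python
"""Payee-verification gate for outgoing invoice payments (added example)."""
import re
from dataclasses import dataclass

CALLBACK_THRESHOLD = 2000.00  # the club's own rule: phone-confirm any transfer above this


@dataclass(frozen=True)
class VerifiedPayee:
    name: str
    bsb: str            # normalised to "XXX-XXX"
    account: str        # digits only
    phone_on_file: str  # captured when the supplier was onboarded, never copied from an invoice


@dataclass(frozen=True)
class Invoice:
    payee_name: str
    bsb: str
    account: str
    amount: float


def normalise_bsb(bsb: str) -> str:
    """Accept '013456', '013-456' or '013 456' and return '013-456'."""
    digits = re.sub(r"\D", "", bsb)
    if len(digits) != 6:
        raise ValueError(f"BSB must have 6 digits, got {bsb!r}")
    return f"{digits[:3]}-{digits[3:]}"


def normalise_account(account: str) -> str:
    """Strip spaces and hyphens; Australian account numbers are 6 to 10 digits."""
    digits = re.sub(r"\D", "", account)
    if not 6 <= len(digits) <= 10:
        raise ValueError(f"account number must be 6-10 digits, got {account!r}")
    return digits


def payment_decision(invoice: Invoice, register: dict,
                     callback_confirmed: bool) -> tuple:
    """Return ("RELEASE" | "HOLD", reason).

    Order matters: a bank-detail mismatch is held even if someone ticked the
    callback box, because the callback only proves the amount, not that the
    invoice details are the supplier's.
    """
    payee = register.get(invoice.payee_name)
    if payee is None:
        return "HOLD", "payee not in verified register; onboard by phone first"
    if (normalise_bsb(invoice.bsb) != payee.bsb
            or normalise_account(invoice.account) != payee.account):
        return "HOLD", (f"bank details differ from verified record for {payee.name}; "
                        f"call {payee.phone_on_file} (the number on file, not one from the invoice)")
    if invoice.amount > CALLBACK_THRESHOLD and not callback_confirmed:
        return "HOLD", (f"amount over ${CALLBACK_THRESHOLD:,.2f}; "
                        f"treasurer must confirm by phone on {payee.phone_on_file}")
    return "RELEASE", "details match verified record"


# --- constructed sample data (not real accounts) -------------------------------
REGISTER = {
    "Example Flood Repairs Pty Ltd": VerifiedPayee(
        name="Example Flood Repairs Pty Ltd",
        bsb=normalise_bsb("013 456"),
        account=normalise_account("1234 5678"),
        phone_on_file="03 5555 0100",
    ),
}

# The contractor's genuine final invoice (constructed amount).
GENUINE_INVOICE = Invoice("Example Flood Repairs Pty Ltd", "013-456", "12345678", 68450.00)
# Same invoice with only the BSB and account swapped, as in the scam.
DOCTORED_INVOICE = Invoice("Example Flood Repairs Pty Ltd", "083-999", "99887766", 68450.00)
# A small genuine invoice under the callback threshold.
SMALL_INVOICE = Invoice("Example Flood Repairs Pty Ltd", "013456", "1234-5678", 1500.00)


if __name__ == "__main__":
    for label, inv, confirmed in [
        ("doctored, no callback", DOCTORED_INVOICE, False),
        ("doctored, callback ticked", DOCTORED_INVOICE, True),
        ("genuine, no callback", GENUINE_INVOICE, False),
        ("genuine, callback done", GENUINE_INVOICE, True),
        ("small genuine", SMALL_INVOICE, False),
    ]:
        decision, reason = payment_decision(inv, REGISTER, confirmed)
        print(f"{label:26s} -> {decision}: {reason}")
```

The register is the control that makes the phone call meaningful: the number the treasurer dials has to predate the invoice, and a change to BSB or account number is treated as a new onboarding event, not as a detail to be accepted because the rest of the document looks familiar.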

Bowls Australia reported a similar incident in December 2022, where another club lost $20,00 to a business email compromise scam.

The threat is real

The Office of the Australian Information Commissioner (OAIC) released in February its latest data breach statistics showing that cyber attacks continue to rise. During the July to December 2023 period, there were 483 data breaches reported to the OAIC, up 19 per cent from the first half of the year.

The OAIC also found that during the period the risk from outsourcing the handling of personal information to third parties grew significantly. There were 121 secondary notifications (further notifications about a breach already reported by another entity, as happens when a breach at a supplier affects several of its clients), compared with only 29 in January to June 2023.

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” Australian Information Commissioner Angelene Falk explained.

One of the most obvious and recent examples of this occurred just in May when Outabox, a third-party IT provider used by clubs including for their front-of-venue sign-in systems, suffered a major data breach, impacting over a dozen NSW clubs and putting at risk over a million customers and their personal data. 

In NSW, it’s a requirement for registered clubs to collect personal information from patrons on entry under the Registered Clubs Act 1976. However, off the back of this incident, NSW gaming minister David Harris has confirmed that Liquor and Gaming NSW will investigate whether this section of the legislation needs to be revised.

Fortunately, NSW Police arrested a 46-year-old man and charged him with the offence of “demand with menaces intend to obtain gain/cause loss”.

As CyberCX retail and entertainment industry lead Alex Hoffmann puts it, cases like these should be a stark reminder for clubs to proactively audit their third-party relationships: know exactly which third parties hold club data, and review the agreements with them to ensure good cyber practices are in place.

“We know that third party data breaches are something more and more companies are grappling with. More companies are outsourcing key parts of their business processes and relying on third party companies to deliver key services. But the reality is, all of this connectivity creates risk,” he said.

This is an excerpt from Club Management Winter.
